Closed
We do not add the component against which the SBOM was generated. This is stored inside the SBOM itself in the component structure (at least in CycloneDX generated by Syft).
We should expose this information in the material metadata in the attestation so it can be used during attestation-level policies.
Example generated by Syft - controlplane.cyclonedx.json (fragment, `metadata.component`):

```json
  "component": {
    "bom-ref": "88a274282e21aefe",
    "type": "container",
    "name": "ghcr.io/chainloop-dev/chainloop/control-plane",
    "version": "v0.96.7"
  }
}
```

Example generated by Trivy (note this one also adds a digest)

Note that we need to look into the component output for other components, like file:
```json
{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:f5b4ce1e-fd61-4bf7-95a2-0d8bce01cf8e",
  "version": 1,
  "metadata": {
    "timestamp": "2024-09-12T12:58:52+02:00",
    "tools": {
      "components": [
        {
          "type": "application",
          "author": "anchore",
          "name": "grype",
          "version": "0.80.0"
        }
      ]
    },
    "component": {
      "bom-ref": "af63bd4c8601b7f1",
      "type": "file",
      "name": "."
    }
  }
}
```
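As an added illustration of what the issue asks for (this is example code written for this page, not Chainloop's implementation), the Go below parses a CycloneDX JSON document, pulls out `metadata.component`, and flattens it into key/value pairs that an attestation-level policy could match on. The two sample documents are constructed from the fragments quoted above (the Syft fragment wrapped in a minimal envelope, and a directory scan with `type: file`, `name: "."` and no version). The annotation key names, the `MainComponent` type and the `ErrNoMainComponent` error are hypothetical. Digests are read from the component's standard CycloneDX `hashes` array; a generator that records the digest elsewhere (the issue says Trivy adds one, but the field is not shown here) would need its own handling.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample (not from the page): the Syft fragment quoted in the
// issue, wrapped in a minimal CycloneDX envelope so it parses as a document.
const syftSample = `{"bomFormat":"CycloneDX","specVersion":"1.5","metadata":{"component":{
  "bom-ref":"88a274282e21aefe","type":"container",
  "name":"ghcr.io/chainloop-dev/chainloop/control-plane","version":"v0.96.7"}}}`

// Constructed sample: a directory scan like the second example in the issue
// (type "file", name ".", no version, no digest).
const dirScanSample = `{"bomFormat":"CycloneDX","specVersion":"1.6","metadata":{"component":{
  "bom-ref":"af63bd4c8601b7f1","type":"file","name":"."}}}`

// cdxHash is a CycloneDX "hashes" entry: algorithm name plus hex digest.
type cdxHash struct {
	Alg     string `json:"alg"`
	Content string `json:"content"`
}

// cdxComponent is the subset of a CycloneDX component we need.
type cdxComponent struct {
	BOMRef  string    `json:"bom-ref"`
	Type    string    `json:"type"`
	Name    string    `json:"name"`
	Version string    `json:"version"`
	Hashes  []cdxHash `json:"hashes"`
}

// cdxBOM is the minimal envelope needed to reach metadata.component.
type cdxBOM struct {
	BOMFormat string `json:"bomFormat"`
	Metadata  struct {
		Component *cdxComponent `json:"component"`
	} `json:"metadata"`
}

// MainComponent (hypothetical type) is the subject the SBOM describes, in the
// shape we would attach to the material's metadata.
type MainComponent struct {
	Name    string
	Type    string
	Version string
	Digests map[string]string // CycloneDX hash alg -> content, e.g. "SHA-256"
}

// ErrNoMainComponent is returned when the generator did not record a subject.
var ErrNoMainComponent = errors.New("sbom: metadata.component not present")

// ExtractMainComponent parses a CycloneDX JSON document and returns the
// component recorded under metadata.component. A missing or empty subject is
// an error rather than a silently empty result, so a policy can require one.
func ExtractMainComponent(raw []byte) (*MainComponent, error) {
	var bom cdxBOM
	if err := json.Unmarshal(raw, &bom); err != nil {
		return nil, fmt.Errorf("sbom: invalid JSON: %w", err)
	}
	if !strings.EqualFold(bom.BOMFormat, "CycloneDX") {
		return nil, fmt.Errorf("sbom: unsupported bomFormat %q", bom.BOMFormat)
	}
	c := bom.Metadata.Component
	if c == nil || c.Name == "" {
		return nil, ErrNoMainComponent
	}
	out := &MainComponent{Name: c.Name, Type: c.Type, Version: c.Version, Digests: map[string]string{}}
	for _, h := range c.Hashes {
		if h.Alg != "" && h.Content != "" {
			out.Digests[strings.ToUpper(h.Alg)] = strings.ToLower(h.Content)
		}
	}
	return out, nil
}

// MaterialAnnotations flattens the subject into key/value pairs for the
// attestation material. The key names are hypothetical, not Chainloop's.
func MaterialAnnotations(c *MainComponent) map[string]string {
	m := map[string]string{
		"chainloop.sbom.component.name": c.Name,
		"chainloop.sbom.component.type": c.Type,
	}
	if c.Version != "" { // a "file" subject like "." usually has no version
		m["chainloop.sbom.component.version"] = c.Version
	}
	for alg, content := range c.Digests {
		m["chainloop.sbom.component.digest."+strings.ToLower(alg)] = content
	}
	return m
}

func main() {
	for _, doc := range []string{syftSample, dirScanSample} {
		c, err := ExtractMainComponent([]byte(doc))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%+v\n", MaterialAnnotations(c))
	}
}
```

The version key is only emitted when present, so a policy that wants to reject an SBOM whose subject is a bare directory (`type: file`, `name: "."`) rather than a named, versioned image can key on the absence of `chainloop.sbom.component.version` or on the `type` value.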
